Re: [OPSEC] I-D Action: draft-ietf-opsec-ipv6-eh-filtering-07.txt

Michael Dougherty <jerniman@jernilan.net> Thu, 21 January 2021 01:31 UTC

From: Michael Dougherty <jerniman@jernilan.net>
To: "opsec@ietf.org" <opsec@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
CC: "fgont@si6networks.com" <fgont@si6networks.com>, "liushucheng@huawei.com" <liushucheng@huawei.com>
Thread-Topic: I-D Action: draft-ietf-opsec-ipv6-eh-filtering-07.txt
Thread-Index: AQHW75UlVWnMVCkYlEW/zk7f17ZMdg==
Date: Thu, 21 Jan 2021 01:31:31 +0000
Message-ID: <D1128302-7FEB-4DE3-A859-364129A2C762@jernilan.net>
References: <161109288484.2686.1614871839620987885@ietfa.amsl.com>
In-Reply-To: <161109288484.2686.1614871839620987885@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/xd2ROym5Mwh8im76KYUKt05tllM>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-ipv6-eh-filtering-07.txt

Greetings,

This was an interesting topic and write up. I have a few comments related to writing structure and readability.

Original:
While some operators "officially" drop packets that contain IPv6 EHs, it is possible that some of the measured packet drops be the result of improper configuration defaults, or inappropriate advice in this area.

Suggestion:
While some operators "officially" drop packets that contain IPv6 EHs; it is possible that some of the measured packet drops be the result of improper configuration defaults, or inappropriate advice in this area.

Original:
The advice in this document is aimed only at transit routers that may
   need to enforce a filtering policy based on the EHs and IPv6 options
   a packet may contain, following a "deny-list" approach, and hence is
   likely to be much more permissive that a filtering policy to be
   employed at e.g. the edge of an enterprise network.  

Suggestion:
The advice in this document is aimed only at transit routers that may
   need to enforce a filtering policy based on the EHs and IPv6 options
   a packet may contain, following a "deny-list" approach, and hence is
   likely to be much more permissive than a filtering policy to be
   employed at, e.g., the edge of an enterprise network.  

Original:
Section 4.2, first paragraph, second sentence
Essentially, packets that contain IPv6 options might need to be processed by an IPv6 router's general-purpose CPU, and hence could present a DDoS risk to that router's general-purpose CPU (and thus to the router itself).

Suggestion:
Essentially, packets that contain IPv6 options that might need to be processed by an IPv6 router's general-purpose CPU and could present a DDoS risk to that router's general-purpose CPU.

Comments:
1 - Within the last sentence of the third paragraph of the "Introduction" section, there is a comment about "inappropriate and missing guidelines". Who dictates or decides what is inappropriate?
2 - First bullet point in Section 2.3, change "recognise" to "recognize" 
3 - Within the last paragraph of section 2.3, part of the comment ".... it is generally desirable that the sender be signaled of the packet drop...." While the idea is valid, it might be a good idea to note that such a signal might attract malicious attention or threat-actors.
4 - Section 3.4.4.4. It might be best to specify what type of IPSEC deployment is involved, host-to-host, site-to-site, site-to-host? 
5 - Section 3.4.5.5. Advice: hasn't AH been deprecated as an insecure methodology versus ESP?
  
Thank you for your kind attention,

Michael Dougherty



On 1/19/21, 4:48 PM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:


    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

            Title           : Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers
            Authors         : Fernando Gont
                              Will(Shucheng) Liu
            Filename        : draft-ietf-opsec-ipv6-eh-filtering-07.txt
            Pages           : 37
            Date            : 2021-01-19

    Abstract:
       This document analyzes the security implications of IPv6 Extension
       Headers and associated IPv6 options.  Additionally, it discusses the
       operational and interoperability implications of discarding packets
       based on the IPv6 Extension Headers and IPv6 options they contain.
       Finally, it provides advice on the filtering of such IPv6 packets at
       transit routers for traffic *not* directed to them, for those cases
       where such filtering is deemed as necessary.


    The IETF datatracker status page for this draft is:
    https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/

    There are also htmlized versions available at:
    https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-07
    https://datatracker.ietf.org/doc/html/draft-ietf-opsec-ipv6-eh-filtering-07

    A diff from the previous version is available at:
    https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-ipv6-eh-filtering-07


    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.

    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/
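The deny-list filtering of IPv6 extension headers and options at transit routers that the draft text quoted above describes, together with the general-purpose-CPU load concern from the Section 4.2 sentence, as an added Python example that is not part of this message, of the announcement, or of the draft. The header layouts and protocol numbers follow the IPv6 specifications (RH0 is the Routing Type deprecated by RFC 5095); the DenyList contents, the chain-length ceiling, the sample packets and all function names are constructed for illustration and are not the draft's recommendations.

```python
"""Walk an IPv6 extension-header chain and apply a deny-list filter.

Added example, not code from the draft or its authors. The deny-list contents and
the chain-length ceiling below are constructed for the example, not the draft's advice.
"""
from dataclasses import dataclass

# IANA protocol numbers for the extension headers (and ICMPv6 as a sample upper layer).
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6, ICMPV6 = 135, 139, 140, 58
# Headers laid out as "Next Header, Hdr Ext Len (8-octet units, not counting the first 8)".
STD_EXT = {HOPOPT, ROUTING, DSTOPTS, MOBILITY, HIP, SHIM6}
PAD1, PADN = 0, 1  # padding options carry no information and are not reported


def parse_options(body, carrier, out):
    """Parse the TLV option area of a Hop-by-Hop/Destination Options header into out."""
    i = 0
    while i < len(body):
        if body[i] == PAD1:
            i += 1
            continue
        if i + 1 >= len(body) or i + 2 + body[i + 1] > len(body):
            return "option TLV truncated or overruns header"
        if body[i] != PADN:
            out.append((carrier, body[i]))
        i += 2 + body[i + 1]
    return None


def parse_chain(pkt):
    """Return {"ext": [(type, routing_type|None)], "options": [(carrier, type)], "upper", "malformed"}."""
    res = {"ext": [], "options": [], "upper": None, "malformed": None}
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        res["malformed"] = "not an IPv6 packet"
        return res
    nh, off = pkt[6], 40  # Next Header of the fixed header, then the first EH
    while nh in STD_EXT or nh in (FRAGMENT, AH, ESP):
        if nh == ESP:  # everything after the ESP header is opaque: stop walking
            res["ext"].append((ESP, None))
            return res
        if off + 8 > len(pkt):
            res["malformed"] = "extension header truncated"
            return res
        next_nh, ln = pkt[off], pkt[off + 1]
        hdr_len = 8 if nh == FRAGMENT else (ln + 2) * 4 if nh == AH else (ln + 1) * 8
        if off + hdr_len > len(pkt):
            res["malformed"] = "extension header length exceeds packet"
            return res
        res["ext"].append((nh, pkt[off + 2] if nh == ROUTING else None))  # Routing Type byte
        if nh in (HOPOPT, DSTOPTS):
            res["malformed"] = parse_options(pkt[off + 2:off + hdr_len], nh, res["options"])
            if res["malformed"]:
                return res
        nh, off = next_nh, off + hdr_len
    res["upper"] = nh
    return res


@dataclass(frozen=True)
class DenyList:
    """Constructed policy: drop what is listed or malformed, permit everything else."""
    eh_types: frozenset = frozenset()
    routing_types: frozenset = frozenset({0})  # RH0, deprecated by RFC 5095
    option_types: frozenset = frozenset()
    max_ext_headers: int = 8  # bounds the work a chain can push onto the general-purpose CPU


def filter_packet(pkt, policy):
    """Return ("DROP" | "PERMIT", reason) for one packet under the policy."""
    chain = parse_chain(pkt)
    if chain["malformed"]:
        return "DROP", "malformed: " + chain["malformed"]
    if len(chain["ext"]) > policy.max_ext_headers:
        return "DROP", "extension header chain exceeds ceiling"
    for eh, rtype in chain["ext"]:
        if eh in policy.eh_types:
            return "DROP", f"extension header {eh} is deny-listed"
        if eh == ROUTING and rtype in policy.routing_types:
            return "DROP", f"routing header type {rtype} is deny-listed"
    for carrier, opt in chain["options"]:
        if opt in policy.option_types:
            return "DROP", f"option {opt} in header {carrier} is deny-listed"
    return "PERMIT", "no deny-list match"


# Constructed sample packets (documentation prefix 2001:db8::/32, payloads omitted).
def ipv6_header(next_header, payload_len):
    return (bytes([0x60, 0, 0, 0]) + payload_len.to_bytes(2, "big") + bytes([next_header, 64])
            + bytes.fromhex("20010db8" + "00" * 11 + "01") + bytes.fromhex("20010db8" + "00" * 11 + "02"))


def opts_header(next_header, options):
    """Hop-by-Hop/Destination Options header, padded with Pad1/PadN to a multiple of 8 octets."""
    body = bytes([next_header, 0]) + options
    pad = -len(body) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad:
        body += bytes([PADN, pad - 2]) + bytes(pad - 2)
    return bytes([next_header, len(body) // 8 - 1]) + body[2:]


PLAIN = ipv6_header(ICMPV6, 0)
RH0 = ipv6_header(ROUTING, 8) + bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 0])  # Routing Type 0, no segments
RH2 = ipv6_header(ROUTING, 8) + bytes([ICMPV6, 0, 2, 0, 0, 0, 0, 0])  # Routing Type 2 (Mobile IPv6)
HBH_RA = ipv6_header(HOPOPT, 8) + opts_header(ICMPV6, bytes([5, 2, 0, 0]))  # Router Alert, option type 5
TRUNCATED = ipv6_header(DSTOPTS, 8) + bytes([ICMPV6, 3]) + bytes(6)  # Hdr Ext Len claims 32 octets, 8 present
```

Calling `filter_packet(RH0, DenyList())` returns a drop for the deprecated Routing Type 0, while `RH2` and the Router Alert packet are permitted under the default policy; adding `option_types=frozenset({5})` turns the Router Alert case into a drop, and the truncated header is dropped as malformed before any policy lookup. Keeping the decision and its reason separate from the question of whether to signal the sender (the ICMPv6 point raised in comment 3) lets the operator decide that independently of the filter itself.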